M365 can send but not receive email

[HCHTech]

This is one of my own emails, and I'm unable to make any progress in troubleshooting.

From Outlook, I can send, but there has been no email received since Saturday. Test messages I've sent from several other email addresses do not bounce, they just disappear into the ether. I had a customer text me that his reply to one of my emails to him last week bounced, but I couldn't get that bounce message from him, and none of the test emails I sent from various other accounts bounced for me. I did a message trace for any incoming mail from his address, but that came up empty.

I have several rules in Outlook, but no new ones and no suspicious ones. No new email in the junk folder.

From OWA, I have the same symptom. I can send but not receive email. No suspicious rules, no new emails period, even in junk since Saturday.

I am not pushing any storage limits. I think the mailbox size is just north of 3GB.

Doing a message trace in EAC shows no messages found when looking for any incoming email to that address, and no messages found when looking for any of the various test messages I've sent when specifying only the sender as the trace target.

In OWA, I *can* send a message to myself and receive it - and I also receive that message in Outlook.

This has to be DNS, then, right? I haven't made any DNS changes recently, but took a look in Cloudflare anyway. Nothing new, nothing out of the ordinary, either.

In the M365 Admin center, the domain tests as healthy. I double checked that I have the correct MX record. The service health looks good.

I went to testconnectivity.microsoft.com and did the inbound SMTP test, which verified successfully. The remote connectivity test was also successful.

Account is protected with a good password and 2FA.

I was going to remove and re-add the account to Outlook, but since the problem exists in OWA as well, this isn't an Outlook issue.

I have other M365 addresses with different domains and they all appear to be functioning normally.

I have one other email under the problem domain which is used to receive various notifications, and that email is also not receiving anything new. I *CAN* however send email from one of the problem domain accounts to the other and vice versa.

I'm out of ideas - really. I think I need to open a ticket with MS.

 

[Sky-Knight]

Message trace, in the Exchange admin panel.

DNS impacts the entire tenant, not individual mailboxes. The M365 admin panel has a checker in the domain screen to see this, if that's green... you're good there.

Go run a message trace, for anything destined to that mailbox. Read the errors, stop guessing.

 

[HCHTech]

Go run a message trace, for anything destined to that mailbox. Read the errors, stop guessing.

Did that. All messages traces come up empty. No messages found. Nothing has been received by the tenant for any account since Saturday. I've sent probably 30 test messages from various places. None of them are found with a message trace. So somehow, nothing destined for the domain is making it to the domain. As far as I can tell, anyway.

 

[callthatgirl]

resolved yet?

my client today had a huge breach and she could not send but receive. After 2 hours of brutal going though her entire 365 admin panel, found activities that were so damn good by the hackers, that Microsoft tech even complimented them. We removed a connector and verified that MFA was on for the admin accounts --MS released the entire domain from the block. They even hit her domain DNS which was insane, I called the registrar and removed all these crazy email reply smtp settings. I was in awe the entire day. No financial loss but the client had MFA on and everyone was like WTAF. They both used their phones for admin panel, so the phones were probably compromised I'm guessing.

For you, weird. Send me the email, I'll send you the bounce. lisa@callthatgirl.biz

 

[YeOldeStonecat]

This one is odd....curious how it will pan out.
The obvious was covered...message tracking center.
If a bad actor got in..and created forwarding rules 'n such....IMO..message tracking center would still note incoming emails.
Even if a connector was added, IMO (I might be wrong here)..message tracking should still note incoming emails.
Hmmm...maybe there is some powershell they ran to delete message tracking of incoming....hmmm.

ANYways, where else to scratch....pour through EAC and look for connectors
Look online for rules
And...go to AzureAdmin.....logins for all users....go back as far as you can.

 

[HCHTech]

Not yet resolved - will keep looking today. I did open a ticket with Microsoft since it may well be a block, but any blocks I've seen in the past always resulted in bounce messages. It's never great timing for stuff like this, but ugh, we are in the middle of several projects, so its definitely a wrench in the works.

 

[HCHTech]

ANYways, where else to scratch....pour through EAC and look for connectors
Look online for rules

No connectors at all, no rules other than the ones that were already there, and I've looked in detail at each one of those - basically just "put emails from this sender into this folder". All are as written.

The incoming mail report shows no emails at all received by the tenant after the time the problem started on Saturday.

I'm in the Azure admin now. Ticket is open with Microsoft, their acknowledgement email says expect a response in "8". No units, so I don't know if that hour or days or weeks - haha.

 

[YeOldeStonecat]

What licenses on the tenant?
Any tenant without at least AzureP1...you're pretty SOL for in depth locking down a tenant and recon/investigation. AzureP1 gives you ability to use Conditional Access...and that allows you to have a trunkful of goodies to clamp down a tenant and get alerts.
Having an AzureP2 adds another trunkful of goodies...such as risk alerts and...adding various "risks" as an ingredient in your conditional access policies.

 

[HCHTech]

I finally got a bounce message (from one of the test messages I sent almost 24 hours ago!). The important bit is here:

Remote server returned '550 5.4.300 Message expired -> 451 4.4.4 Mail received as unauthenticated, incoming to a recipient domain configured in a hosted tenant which has no mail-enabled subscriptions. ATTR5 [SA2PEPF00003F63.namprd04.prod.outlook.com 2024-07-10T13:37:10.086Z 08DC9E21CF330945]'

This is under my MAPS account, which renewed (and reactivated with a new key) back on June 5th, so I'm guessing the renewal went wonky on their end somehow. God Dammit. You would think there would be a big banner in the tenant somewhere alerting you to a problem, but no, that would be too easy. Way to make me feel I'm getting my $500 worth, Microsoft.

 

[Sky-Knight]

MAPs gives you keys you have to use on the tenant... manually...

So go check your subscriptions, if they've expired it's because you didn't apply them. Also, if you don't read it'll let you double up on your license count, but nuke your duration... if you did that on a MAPS key you've burned it, and it's done. So you'll be stuck paying for M365 subscriptions elsewhere...

Oh, and you have to buy them direct, because you cannot use reseller sourced subscriptions on a partner tenant legally.

It does bug you... but via email.

 

[HCHTech]

I went through the reactivation back in June, and the users show as having the license in the admin center. I even saved the key in my documentation system since it changes every year. I heard back from the support ticket, so I just gave them all of the data - I'm hoping something just needs to be reset on their end...

 

[YeOldeStonecat]

Yeah MAPs got pretty useless, we stopped using it a while ago, best offer they have for 365 is E3 licenses. Meh.
Switch over to https://learn.microsoft.com/en-us/partner-center/membership/partner-launch-benefits

 

[Sky-Knight]

Yeah MAPs got pretty useless, we stopped using it a while ago, best offer they have for 365 is E3 licenses. Meh.
Switch over to https://learn.microsoft.com/en-us/partner-center/membership/partner-launch-benefits

It's not just the E3, there's Intune, and the security and mobility bundle.

The features are all there, but it's not the simple "business premium" that it needs to be.

I still use it, and I abuse the heck out of that $100 / month Azure credit they provide.

 

[HCHTech]

Support dude says they are resetting the activation. Once I see the licenses go to 'deactivated' status, I should be able to activate them again. Here's hoping.

 

[Sky-Knight]

Support dude says they are resetting the activation. Once I see the licenses go to 'deactivated' status, I should be able to activate them again. Here's hoping.

I just hope you haven't lost any data, because if the grace period has "expired" and it's de-provisioning things... that's dataloss territory.

You should be OK, because the mail flow condition is imposed VERY EARLY because it generates support tickets prior to actual data loss. But you're VERY close to that line.

 

[YeOldeStonecat]

It's not just the E3, there's Intune, and the security and mobility bundle.

The features are all there, but it's not the simple "business premium" that it needs to be.

I still use it, and I abuse the heck out of that $100 / month Azure credit they provide.

Yeah I remember piece mealing those. For "most" of the features I wanted..but not "all" the features...of Biz Prem.

 

[HCHTech]

Well just finished the re-activation 5 minutes ago - and the licensing looks happy again. I see the original E3s as deactivated, but a new entry for the same number of E3s with an expiration date of 7/10/25. The MAPS still shows as expiring 6/5/25. More to the point, I've gotten 3 new email messages in the last minute or so. I'm sure there will be a few hundred more on the way. I won't know the true impact until everything is caught up again, I suspect. I made a note in our documentation to review activation status a couple of weeks after the renewal next year, just to try and head off something like this happening again. What a mess. We definitely get our money's worth from the MAPS but this headache has certainly soured my opinion a bit.

 

[Markverhyden]

All I can say is MAPS renewal always seems to cause problems with all the E3 stuff that comes with it. For me it seems to be the Azure VM's.

 

[Sky-Knight]

Yeah I remember piece mealing those. For "most" of the features I wanted..but not "all" the features...of Biz Prem.

Yeah it's notably lacking all the Defender components... which is a huge problem.

 

[Sky-Knight]

Well just finished the re-activation 5 minutes ago - and the licensing looks happy again. I see the original E3s as deactivated, but a new entry for the same number of E3s with an expiration date of 7/10/25. The MAPS still shows as expiring 6/5/25. More to the point, I've gotten 3 new email messages in the last minute or so. I'm sure there will be a few hundred more on the way. I won't know the true impact until everything is caught up again, I suspect. I made a note in our documentation to review activation status a couple of weeks after the renewal next year, just to try and head off something like this happening again. What a mess. We definitely get our money's worth from the MAPS but this headache has certainly soured my opinion a bit.

The expiration misalignment is normal. The MAPS expires when you pay for it, the M365 license expires a year after you REDEEM it. There are THREE of them, and if you don't do them all on the same day they are misaligned. I intentionally have mine set on a 1 month delay. My MAPS renews December, my M365 licenses renew January.

That way I can control the renewal process, it's a bit of a juggle.